Four computer science students, Michael Debono, Luke Bjorn Scerri, Luke Collins, and Giorgio Grigolo, are currently under investigation after reporting a security breach they found in the FreeHour app to the app’s founder and CEO, Zach Ciappara.
In a statement, Michael Debono said that the team found “a major flaw in the FreeHour app” back in October 2022. The students were able to identify this flaw by scanning through the app’s software. The vulnerability meant that student information, such as email addresses, location data, and control of their Google calendars, would have been at risk had it been discovered by malicious hackers.
Debono’s Facebook statement continued with the following:
Drawing on our experience in international cybersecurity competitions and expert guidance, we responsibly informed Freehour about the issue.
Their email was sent to FreeHour on October 18, 2022, along with a request for a “bug bounty”, a reward for having uncovered this flaw in FreeHour’s back-end system. The students also gave FreeHour three months to fix the flaw before they would disclose the information to the public.
While FreeHour fixed the issues within 24 hours, with Zach Ciappara stating that “no user data was compromised”, the email was not received the way the students had intended. Scerri, Debono, and Grigolo were arrested a month after their email, and their computers and equipment were seized by the police.
At the time of their arrest, Collins was in England studying for his PhD, and he was interviewed when he returned to Malta for Christmas.
The students were told that their equipment would be returned to them in a matter of weeks; however, they still remain without their computers and other equipment. Debono has spoken out about how difficult it has been for him to continue with his education and other responsibilities without his equipment.
The police questioned whether the group had been given permission by the team behind the FreeHour app to test their systems. The students explained that, since they had identified themselves to the server and were granted access to what they had requested, they had been given authorisation.
The four students are being investigated under Article 337 of the Criminal Code. This states that it is “illegal to access an application without being duly authorised by an entitled person”. This means that the students could potentially face up to 4 years in prison, along with the maximum fine of €23,293.
Ciappara, founder and CEO of FreeHour, contacted the office of the Information and Data Protection Commissioner and the Cyber Crime Unit as soon as he received the email, seeking advice.
In a statement published by FreeHour, Ciappara stated that FreeHour had no intention of going after the students and that they were trying to stick to their legal obligation. Ciappara also claimed that he was not kept updated on the students’ investigation and that he was made aware of new information today.
Students’ Reaction and Backlash
Several students have taken to social media to voice their opinion on the current situation, with most of them showing solidarity with and support for the four students.
Students have stated how FreeHour should have thanked the students for noticing this vulnerability in the system.
Words cannot even describe how proud I am of my friends who were able to reveal a potential data leak flaw in the system of one of Malta’s most popular mobile apps.
FreeHour Malta – shame on you. A group of students found a flaw in your system and you had them arrested, strip searched, and their devices taken away.
Katrina Cassar, Facebook statement
You had 4 people arrested for pointing out a security flaw in your system, instead of claiming responsibility for your incompetence you push the blame onto someone else. It’s disgraceful and extremely irresponsible.
Instagram comment
As this is an ongoing investigation, The Third Eye aims to report accurate and timely information to our readers. We will continue to monitor and report as new information comes to light.